[clug] Pop quiz.. (DHCP and servers).

jm jeffm at ghostgun.com
Wed Jan 14 23:38:51 GMT 2009


Half true from what I've been told. First, anything I say may be Enterasys 
specific as the guy I just asked about this is an Enterasys specialist. 
Any mistakes here are mine. You have been warned.

You're right in that various versions of operating systems have varying 
levels of support for 802.1x. The latest versions of windoze and mac 
support it out of the box. Linux definitely has support although I'm not 
sure which distros have it as a standard package. In order to get 
around this your network infrastructure needs a fallback strategy. I 
know Enterasys will support fallback methods such as mac addresses and 
snooping on other authentication protocols to select the correct policy 
to apply to the switch port the device is plugged into. Note that this 
is a policy, not just a decision to turn the port on or off. This means 
that a printer would have a policy which would only allow it to talk to 
the print server. As such, should the printer be compromised it can not do 
anything to harm the rest of the network. Further, as a bonus everything 
the printer prints has to go through the print server so you can keep an 
accurate log of what is printed. This may be important in some 
situations. Likewise, you can apply a policy that limits what a server or 
desktop machine can access - think ACLs on every port based on what the 
policy says the machine is allowed to do. In the case of desktop machines 
this can be assigned based on who is logged into the machine. Much better 
than having a choke point and overloading a firewall only to have much 
of your internal network unprotected.

To get back on track, the latest versions of the most popular OSes all 
support 802.1x and where it's not available or causes grief there are 
fallback strategies which can be applied on the fly automatically. To 
address the difficulties you raise about interoperability, once you 
tweak it to suit your needs, which is the hard bit, you should 
just have to make it part of your SOE as I'm assuming you would be making 
this part of a large rollout, not just one or two machines.


Jeff.

Daniel Pittman wrote:
> That would be, as Andrew pointed out earlier, because you get caught up
> when something doesn't support 802.1x.  Given that includes common
> desktop platforms like Windows, Linux and MacOS, along with most
> appliances, you can see where the problems start.
>
> (and, yes, most of them can do 802.1x, but if you have ever tried to get
>  them interoperating, or configure it, you might not be so enthusiastic :)
>
> Regards,
>         daniel
>   
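An added example of the "policy, not just port on/off" idea discussed above. It is not from the post or from any vendor's product; it is a small stand-alone model of the fallback chain Jeff describes (802.1x identity first, then mac-address lookup, else a quarantine policy) with a per-port ACL-style policy that individual flows are checked against. Every identity, mac address, network and policy in it is constructed for illustration. One caveat worth keeping in mind when relying on the mac fallback: a mac address is trivially spoofed, so policies granted that way should stay as narrow as the printer one here.

```python
# Added example (not from the post or any vendor): a minimal model of
# per-port policy selection with an 802.1X -> MAC-address -> quarantine
# fallback chain.  A port event carries what the switch learned about the
# device; select_policy() returns an ACL-style policy and Policy.allows()
# evaluates individual flows against it (default deny).
# All identities, MACs, addresses and policies below are constructed.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dst: IPv4Network             # destination network the device may reach
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple[Rule, ...]      # egress rules on the access port; default deny

    def allows(self, proto: str, dst: str, dport: Optional[int] = None) -> bool:
        addr = IPv4Address(dst)
        for r in self.rules:
            if r.proto not in ("any", proto):
                continue
            if addr not in r.dst:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return True
        return False


# Constructed policies.  The printer may only reach the print server, so a
# compromised printer cannot talk to anything else and every job passes
# through (and is logged at) the server.
PRINT_SERVER = IPv4Network("10.0.5.10/32")
PRINTER = Policy("printer", (Rule("any", PRINT_SERVER),))
QUARANTINE = Policy("quarantine", ())          # unknown device: nothing at all
STAFF = Policy("staff", (
    Rule("tcp", IPv4Network("10.0.0.0/16"), 443),
    Rule("udp", IPv4Network("10.0.1.53/32"), 53),
    Rule("any", PRINT_SERVER),
))
SERVER = Policy("server", (
    Rule("tcp", IPv4Network("10.0.5.0/24"), 5432),
    Rule("udp", IPv4Network("10.0.1.53/32"), 53),
))

# 802.1X identity -> policy: who is logged in, or which machine certificate
# was presented.  Constructed mapping.
IDENTITY_POLICIES = {
    "alice@example.org": STAFF,
    "host/web01.example.org": SERVER,
}

# MAC-address fallback for devices that cannot speak 802.1X.  Caveat: a MAC
# address is trivially spoofed, so keep policies granted this way narrow.
MAC_POLICIES = {"00:11:22:33:44:55": PRINTER}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def select_policy(event: dict) -> Policy:
    """Fallback chain: successful 802.1X identity, then MAC address, else quarantine."""
    identity = event.get("dot1x_identity")
    if identity and event.get("dot1x_result") == "success":
        return IDENTITY_POLICIES.get(identity, QUARANTINE)
    mac = event.get("mac")
    if mac:
        return MAC_POLICIES.get(normalize_mac(mac), QUARANTINE)
    return QUARANTINE


if __name__ == "__main__":
    # Constructed port events: an authenticated user, a printer that timed
    # out on 802.1X, and an unknown device that also timed out.
    events = [
        {"port": "ge.1.1", "dot1x_identity": "alice@example.org",
         "dot1x_result": "success", "mac": "aa:bb:cc:00:00:01"},
        {"port": "ge.1.2", "dot1x_result": "timeout", "mac": "0011.2233.4455"},
        {"port": "ge.1.3", "dot1x_result": "timeout", "mac": "de:ad:be:ef:00:01"},
    ]
    for ev in events:
        pol = select_policy(ev)
        print(ev["port"], "->", pol.name,
              "| print server:", pol.allows("tcp", "10.0.5.10", 9100),
              "| database:", pol.allows("tcp", "10.0.5.20", 5432))
```

Run it as a script to see each constructed port land on a policy and which of two sample flows that policy permits. The quarantine policy being empty is the deliberate secure default: a device the switch cannot classify gets nothing until someone adds it to the identity or mac mapping.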

